This is a step where you can really tell that these instructions that we’ve been pointed to leave a bit to be desired, as they assume we have budgets for lots of SSL certs. In the SMB space we typically have one SSL cert, not even two, and certainly no wildcard SSL certificate.

I’ll actually be bugging some comments in this section, as I really think we need way more guidance talking about the choices to make in this section.

Some folks have said that they do two certificates – one for, the other for  Others say that with the Application Request Routing module enabled, they can do it with one SSL cert. In discussing this with people way smarter than I, I’m going to do this with two certificates, one for the other for

So read through this step, get as confused as I was and come back tomorrow when I’ll be attempting this step to see if we all can understand this a bit better.

Configure Exchange 2013 certificates


Estimated time to complete: 10 to 15 minutes (not including response time from the certificate authority)

Some services, such as Outlook Anywhere and Exchange ActiveSync, require certificates to be configured on your Exchange 2013 server. The following steps show you how to configure an SSL certificate from a third-party certificate authority (CA). These steps also show you how to add the legacy host name that’ll be configured on your Exchange 2007 server. In a later step, this certificate will be imported on your Exchange 2007 to help simplify the switch to the legacy host name.

  1. Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New (Add icon).

  4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.
  5. Specify a name for this certificate and then click Next.
  6. If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don’t want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.
  7. Click Browse and specify an Exchange 2013 server to store the certificate on. The server you select should be the Internet-facing Exchange 2013 Client Access server. Click Next. (we only have one, folks)
  8. I called the server Exchange in my example.
  9. For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:
    • If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the Intranet) should show OAB (when accessed from the Internet) and OAB (when accessed from the Intranet) should show
    • If you configured the internal URLs to be, Outlook Web App (when accessed from the Internet) should show and Outlook Web App (when accessed from the Intranet) should show

    These domains will be used to create the SSL certificate request. Click Next.

  10. Click Add (Add icon) to add the legacy host name to the certificate.
  11. In the Domain name field, enter your legacy host name. For example, Click OK.
  12. Add any additional domains you want included on the SSL certificate.
  13. Select the domain that you want to be the common name for the certificate and click Set as common name. For example, Click Next.
  14. Provide information about your organization. This information will be included with the SSL certificate. Click Next.
  15. Specify the network location where you want this certificate request to be saved. Click Finish.

After you’ve saved the certificate request, submit the request to your certificate authority (CA). This can be an internal CA or a third-party CA, depending on your organization. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:

  1. On the Servers > Certificates page in the EAC, select the certificate request you created in the previous steps.
  2. In the certificate request details pane, click Complete under Status.
  3. On the Complete pending request page, specify the path to the SSL certificate file and then click OK.
  4. Select the new certificate you just added, and then click Edit (Edit icon).
  5. On the certificate page, click Services.
  6. Select the services you want to assign to this certificate. At minimum, you should select IIS but you can also select IMAP, POP, and UM call router if you use these services. If you want to use secure transport, you can also select SMTP to make this certificate available to Exchange 2013 transport. Click Save.
  7. If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.
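
The request, completion and service assignment above can also be done from the Exchange Management Shell. This is an added example, not part of the Microsoft instructions or the original post; the host names, organization fields and file paths are placeholder assumptions.

```powershell
# Run in the Exchange Management Shell on the Exchange 2013 Client Access server.
# Host names, organization fields and file paths are placeholders (assumptions).
$names   = 'mail.example.com', 'autodiscover.example.com', 'legacy.example.com'
$reqFile = 'C:\Certs\exchange2013.req'
$cerFile = 'C:\Certs\exchange2013.cer'   # the file the CA sends back

if (-not (Test-Path $cerFile)) {
    # Request phase (wizard steps 4-15). The first name becomes the common name;
    # every name, including the legacy host name, goes into the SAN list.
    # The key is marked exportable because this certificate is later
    # imported on the Exchange 2007 server.
    $request = New-ExchangeCertificate -GenerateRequest `
        -FriendlyName 'Exchange 2013 and legacy names' `
        -SubjectName "C=US, O=Example Org, CN=$($names[0])" `
        -DomainName $names `
        -KeySize 2048 `
        -PrivateKeyExportable $true
    Set-Content -Path $reqFile -Value $request
    "Request saved to $reqFile. Submit it to the CA, save the reply as $cerFile, then run this again."
}
else {
    # Completion phase (steps 1-3 of the second list): pair the issued
    # certificate with the private key of the pending request.
    $bytes = [byte[]](Get-Content -Path $cerFile -Encoding Byte -ReadCount 0)
    $cert  = Import-ExchangeCertificate -FileData $bytes

    # Steps 4-7: assign services. Including SMTP triggers the same
    # "overwrite the default SMTP certificate" prompt as the EAC.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP
}
```
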

How do I know this worked?

To verify that you have successfully added a new certificate, do the following:

  1. In the EAC, go to Servers > Certificates.
  2. Select the new certificate and then, in the certificate details pane, verify that the following are true:
    • Status shows Valid
    • Assigned to services shows, at minimum, IIS and optionally IMAP, POP, UM call router, and SMTP.
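
The EAC check above does not tell you whether every host name clients will use is actually on the certificate. The following Exchange Management Shell check is an added example, not from the original post or the Microsoft instructions; the host names are placeholder assumptions and `Test-NameCovered` is a hypothetical helper.

```powershell
# Host names clients will connect to: placeholders (assumptions), use your own.
$required = 'mail.example.com', 'autodiscover.example.com', 'legacy.example.com'

# Hypothetical helper: is $Name covered by the certificate name $Pattern?
# "*.example.com" covers exactly one extra left-most label.
function Test-NameCovered {
    param([string]$Name, [string]$Pattern)
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)    # ".example.com"
        if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($label.Length -gt 0) -and ($label -notmatch '\.')
    }
    return $Name -ieq $Pattern
}

Get-ExchangeCertificate | ForEach-Object {
    $cert = $_
    # CertificateDomains holds the subject and SAN names; compare them as strings.
    $sans = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $missing = @($required | Where-Object {
        $name = $_
        -not ($sans | Where-Object { Test-NameCovered $name $_ })
    })
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Status       = "$($cert.Status)"      # expect Valid
        Services     = "$($cert.Services)"    # expect IIS at minimum
        NotAfter     = $cert.NotAfter
        MissingNames = $missing -join ', '    # expect empty for the new certificate
    }
} | Format-List
```

A non-empty `MissingNames` on the certificate bound to IIS means clients using that host name will get a name-mismatch warning.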

Blogging my way through a proof of concept migration from SBS 2008 to Essentials 2012 R2 series will be a SMB kitchen project whitepaper. More about the SMBKitchen project at –


One Response to SMBKitchen: Configure Exchange 2013 certificates

  1. Keith Campbell says:

    Perhaps a single cert multiple domain UCC for $59.99?